The Host Unknown Podcast - Episode 170 - The No Show Notes Episode
Episode Date: October 6, 2023

This week in InfoSec (08:56)
With content liberated from the "today in infosec" twitter account and further afield

2006: The http://wikileaks.org domain name was registered, though the first document wasn't posted to WikiLeaks until December.
Assange was taken from the Ecuadorian embassy in April 2019 and has since been staying at His Majesty's pleasure at Belmarsh.

2005: The Samy worm, the first self-propagating cross-site scripting worm, was released onto the mega-popular MySpace by 19-year-old Samy Kamkar (@samykamkar). He's since made numerous impactful security and privacy field contributions.
https://en.m.wikipedia.org/wiki/Samy_Kamkar
https://en.wikipedia.org/wiki/Samy_(computer_worm)
The worm itself was relatively harmless; it carried a payload that would display the string "but most of all, samy is my hero" on a victim's MySpace profile page as well as send Samy a friend request. When a user viewed that profile page, the payload would then be replicated and planted on their own profile page, continuing the distribution of the worm. MySpace has since secured its site against the vulnerability.

2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault.
https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html
It took 960 hours (40 days) between Equifax finding out about the breach and warning the public. Millions of people's data in the US, UK, and elsewhere was stolen.
Three Equifax execs sold $1.8 million of stock days after breach discovery.

Rant of the Week (17:16)
https://www.theregister.com/2023/10/04/onedrive_to_acquire_copilot_skills/
Microsoft is to overhaul OneDrive in a move that will bring Copilot to the cloud storage service and herd users towards the tool's web interface.
Inevitably, Copilot skills are due to arrive in OneDrive. Microsoft hopes these will help users find files and stay organized.
Worryingly, in the example given, Copilot can move files around and create folders depending on its interpretation of the user's instructions. What could possibly go wrong?

Billy Big Balls of the Week (26:06)
EXCLUSIVE A four-hour system interruption in September at the Veterans Affairs Medical Center in Kansas City, Missouri has been attributed to a cat jumping on a technician's keyboard.
So we're told by a source, who heard the tale on one of the regular weekday calls held by the US government department with its CIO, during which recent IT problems are reviewed. We understand that roughly 100 people – contractors, vendors, and employees – participate in these calls at a time.
On a mid-September call, one of the participants explained that while a technician was reviewing the configuration of a server cluster, their cat jumped on the keyboard and deleted it. Or at least that's their story.
Kurt DelBene, assistant secretary for information and technology and CIO at the Department of Veterans Affairs, is said to have responded on the call with words to the effect that: "This is why I have a dog." There was laughter and not much more – it was a short incident report.
https://www.theregister.com/2023/10/05/hospital_cat_incident/

Industry News (31:30)
Apple Issues Emergency Patches for More Zero-Day Bugs
Record Numbers of Ransomware Victims Named on Leak Sites
CISA and NSA Tackle IAM Security Challenges in New Report
Scammers Impersonate Companies to Steal Cryptocurrency from Job Seekers
Critical Glibc Bug Puts Linux Distributions at Risk
US Government Proposes SBOM Rules for Contractors
China Poised to Disrupt US Critical Infrastructure with Cyber-Attacks, Microsoft Warns
GoldDigger Android Trojan Drains Victim Bank Accounts
LightSpy iPhone Spyware Linked to Chinese APT41 Group

Tweet of the Week (40:56)
https://twitter.com/infosecmo/status/1709289777973883000?s=61&t=UAjRqPj0iqNyKsG8ZaAiig

Come on! Like and bloody well subscribe!
Transcript
Andy had one job, one job, which is get the show notes out.
And what have we been doing for the last 45 minutes?
Instead, he sent his stunt double.
Is this like in those films with a stunt double of a woman
and you pause it and she's got a moustache and different hair and is obviously a foot taller.
I have this picture of you now, Tom, in the 80s with your VCR,
pausing movies at particular points and being disappointed
by a woman's moustache.
There was a website that used to do that in the 80s.
It told you all the points where you could pause a movie
You're listening to the Host Unknown Podcast
Hello, hello, hello, good morning, good afternoon, good evening
From wherever you are joining us.
And welcome, welcome one and all to episode 100 and...
Oh, he's not here, is he?
74.
Thank you.
174.
Of the Host Unknown podcast. I know, it just feels wrong, doesn't it, Graham? It just feels wrong.
And yes, we do not have an Agnes here.
We have a Cluley.
We have a Cluley.
For once, we have a Cluley.
Hello, hello, everybody.
Great to be here.
Yes.
That's not what you were saying just before we went on air,
but that's absolutely fine.
And thank you for maintaining that veil over the quality
and professionalism
of the Host Unknown podcast.
Yes.
Well, I'm just pleased I got up early for this.
That's all I can say.
You know, all I can say is when people want exposure,
they go on Smashing Security.
When Graham wants exposure, he comes on Host Unknown.
And what good does it do me?
We pay you in exposure, Graham.
People die of exposure, Jav.
Well, after what you just exposed to us, yes.
That's why we had to turn your camera off.
Anyway, let's go round the table, shall we?
Jav, how are you this fine morning?
I'm really good.
You know, I don't know why Andy makes such a big deal
about the show notes and everything.
We got it together in, like, five minutes flat.
Yeah.
We have a great co-host.
It took only 50 minutes between the three of us.
It was not a problem at all.
I mean, he had one job, right?
He did, he did.
But no, I for one am glad we've got Graham with us today.
I feel quite honoured.
Normally I'm the one that's off and Graham's dimps in for me,
but, you know.
Well, I know the Duchess of Ladywell would be pleased
that you're on, Graham.
Ah, yes, Mrs Langford.
Hello, Mrs Langford.
Lovely to be in your ear 'ole.
That just sounds so bad
It does
Anyway, what else have you been up to Jav?
I've been trying desperately
to, I've just looked at my calendar
and the most interesting thing on there is
I had a blood test this week
but other than that, not a lot.
Was it a paternity suit or what's going on?
No, no, no.
Oh, no, Jav can't do that anymore.
Not anymore.
Together we are the Jaffa Brothers.
Oh, you can include me in that, actually.
So there we are.
Oh, my God.
Yes, yeah.
There we go.
Apparently, though.
Host on our podcast, guaranteed to not get you pregnant.
No, there's no guarantee.
Apparently, it just changes the colour of the baby.
It doesn't stop you.
Oh, God.
Allegedly. Alleg God. Allegedly.
Allegedly is what
my lawyers are saying. I'm
just going to move away from the litigious
side of the room to the other side.
Graham, how the devil are you?
Well, I'm all right.
I'm all right. I went to Sweden
to do a talk a few weeks ago
and I came back.
Well, yeah, you know, that sort of thing happens in my jet set life.
And so I went and did that.
That's fantastic.
And I've got another event coming up soon overseas.
And I thought, oh, I better get my passport ready.
Couldn't find my passport anywhere.
Couldn't find it anywhere.
Looked at everything, looked in my jackets.
I've moved house recently.
I thought, oh, my goodness, where have I put it?
Where have I put it?
And eventually I thought, well, I'm going to have to apply quickly
for a new passport. So I told
the passport office that I've
lost my passport. They cancelled it.
And now I have to go to
bloody Wales to
pick up a new passport
with the form. So I have to drive all
the way there. And of course, you know what happened?
I found my old passport. You found it.
I found my old passport.
Where was it?
In my jacket pocket.
Even though I'd done a very thorough man look on a number of occasions.
I mean, you kind of tapped it all over, didn't you?
Exactly.
And, of course, I can't uncancel it.
I still have to go to...
So I'm off to Wales tomorrow to hand in a form
and hope they'll give me a passport.
Oh, I was going to say, if you're driving past me,
you should drop in, but I'm not going to be here.
Oh, I'll let myself in.
I like to let myself in, you know.
Oh, do, do.
Just for a little relaxation, you know,
sort of roll around in your bed, that kind of thing.
Oh, no, Graham, Graham, Graham.
No.
Don't worry.
All the ideas.
I'll cover myself in, I'll be wearing a hazmat suit, obviously.
What are you saying?
I change my sheets regularly for a man.
I don't want to know about your regularity with your sheets.
That's the last thing we need to hear about.
That's between me and my proctologist.
Okay, okay.
Anyway, Tom, what about you?
What have you been up to this week?
Not a lot.
I have had COVID, would you believe. Oh no, I was feeling a
little bit funny last Friday night, um, and then woke up Saturday morning, absolutely... well, I could
barely get out of bed, and yeah, I had COVID. And it's, it's the third time I've had it, and it knocked
me off my feet, I have to say. I'm only just starting to feel capable of, of doing anything,
really, um, but even just sort of getting up and walking from here to the kitchen gets me out of
breath. So it's, it's really standard COVID stuff, you know. So I'm, you know, I'm okay. The Lemsip
industry is alive and well thanks to me this week, um, but, yeah, I've been off for much of it, actually.
Are you sure you're capable of doing a podcast?
Well, you know, I'm propped up here with another Lemsip
and the mute button for when I'm coughing my guts up and out of breath.
But, yeah, I will occasionally be breathless, but you know,
unlike some on this podcast, Andy, you know, I,
I see things through, you know, and I, you know, I'm committed to the cause.
Yeah. Great. Graham, that is a question.
I think I should have asked Tom like many years ago and it would have saved me
much, much heartache
and talking of heartache, shall we see what we've got coming up for you today on these hastily
pulled together show notes that don't have all the words in and I'll be making up as we go along.
So This Week in InfoSec is about, uh, well, it's leaking everywhere, frankly.
Rant of the Week talks about how we can trust the machines to all of our most sensitive data.
Billy Big Balls is about the dog ate my homework.
Industry News brings us the latest and greatest security news stories from around the
world. And Tweets of the Week
talks about something
wonderfully Danish.
I don't know why. I was about to say, why, Mr.
Kipling, you are spoiling us. But that's not
that kind of Danish, is it? Or
Kipling doesn't even do Danish. Anyway,
anyway, without
further ado, let's
move on, shall we, to our favorite part of the show. It's the part of the show that we blatantly ripped
off and called This Week in InfoSec.
Ah, that's a tune I like to hear.
Yes, indeed.
This week in InfoSec, we've content liberated from the Today in InfoSec Twitter account
and further afield.
It is my pleasure to bring you today.
And let's go back in time an incredible 17 years to 2006
when the wikileaks.org domain name was registered.
Although they didn't.
2006.
I know, a long time ago, 17 years.
Can you believe we're all getting so, so old?
I thought it was earlier than that, though.
No, did you?
Yeah, I did.
You're probably mixing up with the Crimean War
and other things that you probably have in your murky past, Tom, perhaps.
Yes, so Wikileaks.org was registered in 2006 as a domain name,
although the first document wasn't posted to Wikileaks until December.
Now, I don't know if it is Julian Assange himself.
Julian Assange, don't you love that name?
Julian Assange,
who actually registered the domain name
Assange, a monkey, as
they say in La Belle France.
Julian Assange.
And of course, Julian,
we haven't seen much of him lately, have we?
Because, of course, he was escorted
from the Ecuadorian embassy in April 2019.
It was either him or Uncle Albert from Only Fools and Horses.
I guess, you know, in deference to the Ecuadorians,
there's only so many bottles of piss you can get used to moving out of his room
at any one time, right?
They did have an unusual series of complaints
about the way he was decorating his little office there
in the Ecuadorian embassy,
and they got a little bit fed up with it, didn't they?
Yes.
It was something akin to what was probably going on...
But we didn't give you any paint, Julian.
Why is everything so brown?
Yeah, it was a bit like H-Block in his prison
back in Thatcher's time, I think.
But anyway, so since then,
he's been staying at His Majesty's Pleasure at Belmarsh,
where hopefully he hasn't been decorating the walls quite so much.
But he's been there a long time, hasn't he?
I mean, I think this is why they're still arguing
as to whether they're going to extradite him to the States or not.
But obviously...
What's very interesting, I think, is just how much everybody doesn't care anymore.
Well, I mean, yeah, I do get press releases regularly from Julian Assange's sort of campaign
team asking that we should raise this issue in the media.
But it was a very important issue at the time, wasn't it?
Because he was leaking these documents
and sensitive military stuff from the US
and drone footage and so forth.
And he very much believed in everything being free
and available.
And later on, he did begin to become very, very anti-US.
And of course, he was potentially helping the Russians
in terms of the information he was leaking after the hack of the Democrats as well.
But a strange period in history.
Anyway, let's go back even further, back further in time, 18 years to 2005.
Wow.
When Sammy, I don't know if either of you were ever on MySpace, which I think still exists, MySpace.
I wasn't. I'm sure Jav was because it's for all the egotistical people, isn't it?
Right.
I might have registered. I don't think I actually... No, I don't know. Not MySpace. I didn't jump on that trend. In this week in 2005, a 19-year-old called Samy Kamkar wrote the Samy worm, which spread.
It was a self-propagating, cross-site scripting worm, which was released onto MySpace, sent messages around, said,
but most of all, Samy is my hero, which was on victims' profile pages, and it sent Samy a friend
request. I think he was planning to become the most popular person on MySpace. So technically
a worm, but Samy Kamkar, since then, has done a lot of cool kind of work in the cybersecurity field.
He's found vulnerabilities. He's demonstrated how things can be exploited. He's a,
an interesting guy. He's worth watching on YouTube, I'd say. He, for instance, he wrote, um, a thing called
SkyJack, which was a custom drone which could hack into nearby other drones and allow them to be
hijacked. So he's, he's done some interesting work. But all those years ago, Samy Kamkar was writing worms for MySpace.
And finally, this week in InfoSec, we've got another one.
Another one.
Six years ago, in 2017, well, what happened was the former CEO of Equifax,
a week after he retired as a result of Equifax's data breach, he told Congress
the whole attack was the fault of one single person in the IT department. Not on this case,
an intern. Not an intern on this occasion, I think. I think it was someone else, maybe.
It's still the intern kind of, you know, the intern attack, as it were.
It was the thought of let's blame the intern.
Let's blame someone junior for what happened.
It took, by my estimations, 960 hours between Equifax finding out about their breach and warning the public.
40 days it took them.
And it impacted well over 100 million people.
And the thing with shock horror, yes,
that would never happen normally, would it, in a breach?
The thing about Equifax, of course, is they had your personal data,
even though you had nothing to do with them,
because they were a credit monitoring, still are a credit monitoring agency.
So you'd never heard of them, but they knew all about you. And, uh, one of the curious things
was it was found that three Equifax execs sold nearly two million dollars' worth of stock
just days after the breach discovery but weeks before it was made public. I'll leave
just a, just a, leave just a fact.
Just a fact.
I'll let you decide what that means.
We're just asking the questions here.
We're not accusing anyone of anything.
Yeah.
We're just asking the questions.
We're asking the questions.
And that was this week.
That was this week in InfoSec.
This week in InfoSec.
Feeling
overloaded with actionable information?
Fed up receiving well-researched
factual security content?
Ask your doctor
if the Host Unknown podcast is
right for you.
Always read the label, never double dose on episodes.
Side effects may include nausea, eye-rolling and involuntary swearing in anger.
Not unlike what we had from Graham when we said we were going to get a cup of tea.
Couldn't believe it. That was after about 50 minutes of messing around.
Now we're getting a cup of tea.
You can't have a podcast without a cup of tea, can you, Jav?
Carole warned me.
Carole warned me about what goes on.
You should have warned yourself.
I mean, crikey, you've been on here often enough.
I've even bloody sponsored this podcast.
Yeah.
How do you think we could afford the tea?
Yeah.
That money went straight to a massive...
We went to Costco, got the biggest bag of Yorkshire tea we could.
Split it three ways.
And a huge box of gummies for Andy.
Ah. Ah.
Right.
Before Graham starts going off on a rant,
I think I best squeeze one in first, as they say.
So let's check out...
Listen up!
Rant of the week.
It sounds a mother...
Rage!
So, the rise of AI.
There's films out there.
The Creator, I think, is the latest film
that talks about the threats of AI and et cetera
in a very dystopian future where mankind,
humankind is fighting a very kinetic war
against AI and robots
and all that sort of thing.
And I've been on a few – I've had a few conversations with people
who apparently know about this stuff.
And we've definitely – we've sort of termed this year as almost
like the inflection point of AI from – it was about this time last year
when ChatGPT was released, or ChatGPT 3,
and there's been a boom, a massive boom of AI.
And so we see ourselves, 2023 is the year of, you know,
the inflection point of when AI becomes the big thing.
And, you know, all joking aside, or maybe joking, I don't know,
but all joking aside, it remains to be seen if AI is going to, you know, take over and enslave us and all that sort of thing.
However, not letting any kind of popular culture or even common sense get in the way, Microsoft, who has been quite the forefront of AI development.
In fact, it was Satya Nadella who said,
tell Google we're coming to eat their breakfast.
Was that the phrase? I think it was.
Which I thought was, you know, in fact, that was a Billy Big Balls,
I think, one time.
So, you know, they are very, very keen on winning the AI race,
or whatever that means.
It's a bit like Sony and Blu-ray.
They were not going to be Betamaxed out of this
by some upstart HD DVD.
I don't remember that race.
And now look where you are, Blu-ray.
But they are going to pour money into this.
Microsoft are going to overhaul OneDrive. Overhaul, does that mean it's
going to work properly? In a move that will bring Copilot to the cloud storage servers
and herd users towards the tool's web interface. Okay, so for those that don't know, Copilot,
which is actually quite a clever name, is their term for their AI.
So you can get Copilot in their office products now.
It's basically Clippy on steroids.
But it's their AI interface that allows you to create content, blah, blah, blah.
They're going to bring it to OneDrive.
So inevitably, these Copilot skills arriving in OneDrive,
Microsoft hopes that these are going to help users find files and stay
organized. In the example given, however,
Copilot can move files around and create folders depending on its
interpretation of the user's instructions.
Oh, my God.
What?
I mean, frankly, what's wrong with just dumping everything
into one folder and letting search find it?
I mean, for a start, I mean, let's face it, you know,
you know those people who have got mail folders
for every single topic and their inbox is completely
empty, and every time they read an email they move it into the relevant box. Those people need to get
a life. God, dear. That's why God invented search. Jav, I can see you gritting your teeth there, thinking
that's you, or knowing that's you. But, uh, that's why God invented search. You put in random search
phrases and then say, no, I, I can't find it.
I can't, I obviously haven't got it.
You know, you don't want evidence that you've kept something.
Anyway, so OneDrive, OneDrive Copilot is going to manage all this for you,
which is really quite scary because if it's creating folders,
it could be creating folders with misleading names. It could be deleting files. Um, I mean, hopefully it knows just to delete the
incriminating ones, right? And also, is it, does it know when, when to do it? Does it know the difference
between an FBI agent tapping on your keyboard and you just looking for something? Um, but this does not feel like a good thing to be releasing
to the public right now.
I'm stating it here on this very public and popular show
that I think we're going to see a lot of even data fabrication
at some point.
If it can create folders, what's to stop it from creating files? And
then what's to stop it from, you know, creating additions to those files and then embedding that
in such a way that you don't know that those changes have been made? But I, I find this a little
bit concerning. Um, obviously I'll be installing it straight away just to give it a whirl.
Because whatever.
It couldn't make a worse hash of my filing system, let's face it.
But, yeah, this is troublesome at best.
This potentially is going to rewrite your personal history, right?
Okay, Boomer.
You know, I was just thinking as you were explaining it,
and I thought these are all pretty much features.
You mean reading it from the show notes?
No.
These are pretty much all features that are in something like Google Photos
or something.
When you go there, it's got them chronologically listed.
It recognizes faces.
So you say, I want to find all pictures with Tom Langford in it,
and it shows me pictures of Tom and every other bald white man
I've ever taken a picture of.
But beyond that, yeah, but it creates these collections for you.
So, like, this day in history, or what have you, this day three years ago,
or a trip to the Lake District, or what have you.
It creates all of these for you. This is all the same thing. It's just ways of
organizing. So I just, like, that's, that's not AI sort of artificially, you know, creating data
in there. That's, that's just looking at metadata and sorting. That's just looking at patterns.
I think this picture of Andrew Agnes looks like Tom Langford circa 2013.
Yeah. And I don't think there's anything that you've said that, that, that is any different. The
only thing is it creates a folder and it goes, goes in there.
No, it says, for example.
It's going to be moving, for example.
So if it's moving files, it's got access to the files.
Then it's going to start writing to the files.
It's going to start altering files.
Well, you're really making a big assumption here.
The leap of logic is just like shoots up higher than your blood sugar than like, you know, after you've had a Yorkie bar. It just doesn't make sense.
load of pictures called andyblackmail.jpg, and the, and the Copilot says, well, I will shove all of these into the blackmail folder. That's all right, isn't it? Do we know that it's doing much more than
that?
No, but when has this podcast ever let the truth get in the way of a story?
Right, right. Okay, fair enough.
God, I tell you what,
Jav, you can tell he's new to this.
I know, I know.
We've got so much to teach him.
Also, Graham, we like to use more
inclusive terms these days, woke terms,
so blackmail I don't think is a
good term to use.
Sorry, blockmail.
Yeah, we call it blockmail or extortion
is the more appropriate term to use.
I do apologize. I'm sorry.
Yeah.
Rant of the Week.
If you work hard, research stories with diligence and deliver well-edited, award-winning, studio
quality content for high-paying sponsors, then you too can be usurped by three idiots who know
I wonder if you could tell when we had that one commissioned.
And who it was for.
Right, let's move on, Jav.
It's your turn to make a fool of yourself.
It is.
Yes, yes, yes.
So back in school, you'd always fondly look at the guy
that would come up with the most ridiculous excuse
as to why they haven't done their homework
or they messed something up.
You know, it'll be like
the dogs ate the homework, or my gran died for the seventh time in two years so I can't make it into
this, or I couldn't revise, and what have you, and bloody, bloody blah. And you always think, you know,
that that's a Billy Big Balls move. You know, you know they're lying, they know they're lying,
the teacher knows they're lying, but they still have the audacity to go out and, and say it.
And we, we,
we have something similar where like a four hour system interruption happened
in September at the Veterans Affairs Medical Center in Kansas City,
Missouri.
And what happened is that we're told by a source who heard the tale that there's a government department with its CIO reporting during which
recent tech IT problems are reviewed. There's about 100 people on the call at the time,
contractors, vendors, and employees.
And in the middle of the call, one of the participants explains
that while a technician was reviewing the configuration
of a server cluster, their cat jumped on the keyboard
and deleted it.
So, I think I've heard it all.
That's impressive.
I mean, it's a brilliant excuse, isn't it?
It's wonderful.
It's wonderful, because whenever we've made...
I mean, we've all done it, haven't we? We've all deleted
files in the wrong folder.
We've all zapped something we shouldn't have
or forgot to plug a thing.
If we can blame a dumb animal on this behaviour
and then we can report to the people on the call
that we've now had the cat put down as punishment
or it's been...
It's no longer going to be having as much kitty cat
as it used to have or...
I've turned my cat into, ironically, a mouse pad.
No, no, no.
I've subjected my cat to 40 minutes of mandatory security awareness training
and it now knows not to touch keyboards.
It knocked the laptop off the table.
Yeah.
Now, Jav, this is a Billy Big Balls of the week.
Is it the case that the cat,
the way in which it hit the buttons,
was because it hadn't been properly neutered
in some fashion?
Yes.
Do you know what?
I was about to say just that.
That's exactly the story.
That's exactly the story.
Right.
And the Kurt DelBene, Del Bean, Del Ben, Assistant Secretary for Information and Technology and CIO at the Department of Veterans Affairs,
is said to have responded on the call with words to the effect of, this is why I have a dog.
There was laughter and not much more. It was a short incident report,
as I think all incident reports should be: short and to the point.
Yeah, yeah. I like this because I
have to say it's quite a harmless story. I quite like that. I mean, apart from, you know, all of that
data being deleted and the server cluster being destroyed and millions of dollars of taxpayers' money
that was required to repair it.
But outside of that, I think it's a lovely, whimsical, harmless story.
It is.
Next year, they'll be blaming Copilot for deleting their files.
Exactly.
This isn't normally what I expect from Jav, though,
in the Billy Big Balls of the Week.
Isn't it normally something which is saying,
well done to some hacking group or some side of criminals
for committing some enormous offence?
So are you in favour of this cat, Jav?
Are you defending this cat?
Absolutely.
The cat gave a very good lesson to everyone that, you know,
insider threats are real and they can come from non-humans as well.
Oh.
Very good.
I just love that analogy and the sound it makes
as it's being stretched over my head.
That's brilliant.
Nice.
Excellent. Thank you, Jav, for this week's Billy Big Balls of the Week.
The Host Unknown Podcast
Orally delivering
the warm and fuzzy feeling
you get
when you pee yourself
and talking of relaxing at just the wrong time
of the day, Graham, what time is it? Oh, it's that time of the show where we head to our news
sources over at the InfoSec PA Newswire, being very busy bringing us the latest and greatest security news from around the globe.
He's such a pro. He's so good. He's brilliant.
Industry News.
Apple issues emergency patches for more zero-day bugs.
Industry News.
Record numbers of ransomware victims named on leak sites.
CISA and NSA tackle IAM security challenges in new report.
Industry News.
Scammers impersonate companies to steal
cryptocurrency from job seekers.
Industry News.
Critical glibc bug puts Linux distributions at risk.
Industry news.
US government proposes SBOM rules for contractors.
Industry news.
China poised to disrupt US critical infrastructure with cyber attacks, Microsoft warns.
Industry news.
GoldDigger Android Trojan drains victim bank accounts.
Industry news.
LightSpy iPhone spyware linked to Chinese APT41 group.
Industry news.
And that was this week's...
Industry news.
Huge if true.
Huge if true.
Huge.
Right.
Huge.
Now, this is me correlating here.
Maybe causating, I don't know.
China poised to disrupt US critical infrastructure with cyber attacks, Microsoft warns,
just before it releases Copilot for OneDrive.
Ha ha.
I think they're covering themselves.
So when it goes wrong, yeah, they blame the Chinese.
We warned you, China.
So I didn't know, Graham, you used Android.
What? Why are you saying this?
What were you going about?
Well, this GoldDigger Android Trojan drains victim bank accounts.
Are you claiming I'm a gold digger?
I'm not into all that modern music.
What?
Is a gold digger some sort of rap thing?
I don't know.
Gold diggers was a club in my town.
I just say the words.
I just read the autocue.
That's all I do.
I'm just being Andy this week.
Fuck you, Cincinnati.
Hey, have you noticed?
So, Tom, you're a big Apple fan.
Are you enjoying your daily update to the operating system at the moment
as they deal with more and more zero-day bugs?
First thing I do every morning, like a good concerned citizen.
These things happen, right?
You either wait until 0.06 or whatever of the operating system
before you update to the next major version,
or if you do go to the next major version straight away,
then you pay the price by doing updates.
Have you managed to time your daily updates with your 5am visit to the lavatory?
5am? Are you talking about my second visit or my third?
No, you never do it overnight like that. That's the prime time to watch TikTok or Instagram Reels,
as Tom would probably.
You never update it at 5am.
I can't do TikTok.
Did you hear about that, Graham?
I'm sure you did.
So, yeah, you're no longer on TikTok.
What happened?
I got banned after a week.
A week?
What did you do?
Apparently, I constantly went against their community guidelines by following three people and posting nothing.
I think we're all curious as to which three people you followed, and that may have been the reason.
So one of them was the etiquette guy. I've forgotten his name because I can't see him anymore.
The other one was my daughter, who's racking up literally millions of views on some of her TikToks, which is why I joined in the first place.
And then 20 minutes before I got banned, I followed Jeff.
Ah, right.
Now, I think we can begin to...
Correlation is not causation.
He swears blind he had nothing to do with it, but I don't know.
I have nothing to do with that.
Fine, just stating the facts here, you know. I'm just asking the questions and refusing to accept the answers.
Anyway, what else have we got here?
Oh, yeah.
CISA and NSA tackle IAM security challenges in new report.
Crikey.
I'm in the industry and I'm struggling to understand this.
Exactly.
That's a hell of a headline.
Does anyone know what an SBOM is?
A software bill of materials.
Ah.
Ooh.
I was thinking of F-bombs, but they're something which we don't allow on the podcast.
Yeah.
Right.
Now, don't ask me what that actually means in the details.
So, software bill of materials is purely just, well, just that.
It's a list of the software you're going to use for contractors, right?
Okay, all right.
So the government's saying this is what you have to use
or you can't use any software outside of this list.
Yeah, exactly.
As I understand it.
But they're only just doing this, really?
Would that also include which security software contractors are allowed to use and which ones maybe they're not allowed to use?
I imagine they're not allowed to use Kaspersky.
No.
No, because he's got a funny sounding name, right?
What else have we got here?
Scammers impersonating companies to steal cryptocurrency from job seekers.
So people looking for jobs are being asked to send crypto.
I mean, seriously, does anyone...
Who falls for this?
What is this?
I haven't looked at the story, obviously.
I'm purely going by the headline.
We just need to...
Yeah.
But, yeah, you think...
Well, one, bleeding obvious, they're scammers, and so therefore they're looking to steal crypto or whatever, right?
But how do you do it from job seekers?
I mean, like, is this on LinkedIn?
Hey, send me some Bitcoin and we'll get you a job.
What?
And the sort of people who would fall for that, are they the ones that could actually even generate crypto?
Or even, I mean, crikey, I don't even know how to get a bloody wallet of crypto.
I just do it through an app.
It seems to be so easy for these cyber criminals to make money.
I wonder if the UK government has considered maybe learning a few tricks in order to get their train line built all the way up to Manchester.
I mean, is it really that tricky?
I don't know.
It's a strange thing, isn't it?
Well, first of all, you need competent project managers.
And that's it, really.
That's all you need.
And people who will actually price things out properly. And people who will review proposals and bids to see whether one company is deliberately undercutting another just to get the business and then only to put the costs up later.
But it does seem like these massive projects constantly overrun and constantly overspend.
You'd think we'd have learned by now.
I don't get it.
I don't get it.
Talking of overrunning, I've been here an hour and a half now.
No, you haven't.
We're only 40 minutes in.
Anyway, that was The Streaks.
Uh-huh.
Industry News.
Industry News.
In 2021 you voted us the most entertaining cyber security content amongst our peers.
In 2022 you crowned us the best cyber security podcast in Europe.
You are listening to the double award-winning Host Unknown podcast.
How do you like them apples?
In 2023.
How do you like them apples, Graham?
Hang on, hang on. Tom, you're holding up to your camera some kind of award.
Is that the 2023 award there?
Yeah, the 2023 award that the sole founder of Host Unknown holds in his hand for most entertaining blog.
Oh, no, wrong one.
Maybe it's this one.
Didn't know you had a blog.
The all-rounder.
There we go.
In my hands are the awards for 2023.
For which podcast?
That's neither here nor there because they're in my possession.
Very nice.
Thank you.
Both for smashing security.
They're taking up real...
I'm going to start charging interest, you know.
Prime real estate they're taking up.
They are.
Yeah, that's room that could be taken up with Lego in your house, couldn't it?
Not far wrong, actually.
I have put up shelves especially for it.
Right, shall we move on to the final part of the show?
Graham, why don't you take us home with...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
X of the Week.
Are you going to rename that jingle?
Well, we did ask Andy to, but since he's obviously not capable of doing his day job or doing the bare minimum that we ask him to, then I don't know.
No, we'll leave it Tweet of the Week, and then in five years' time, people will be like, yeah, why do they call it Tweet of the Week?
It's a really good section, but why do they?
And no one will know the history behind it.
It's like the save icon, where kids have never seen a floppy disk, but they know that's a save.
Well, Tweet of the Week this week comes from friend of the show, InfoSecMo, who has posted...
Well, he's actually retweeted.
He's retweeted a message posted on Twitter by a chap called Will Manidis.
And what Will points out, in the form of a beautiful graph, is that he has analysed the last 20 years of VC returns, how much money the VCs are making, compared to second-hand Lego pricing.
And it turns out that if you randomly purchase sets of Lego, you will actually massively outperform the biggest VC firms.
And Mo has actually posted this message to Tom saying, so this is why you hold one of the largest Lego collections in the UK.
You are a savvy man, Tom Langford.
I wish, do you know what?
There's so much more Lego one could buy, right?
But I just love the fact that in only, I think, is it only in two instances?
I can't see.
But only in two instances does a VC outperform the Lego purchase.
Every single other time. And if you're canny in what you buy, you know, then that outperformance is huge. Absolutely huge.
So this is like a set you buy. Say you buy a set today of a Millennium Falcon.
Yeah, in a few years' time you're saying it'll go up in value if you sell it second-hand?
Yes.
Keep it in its box, I imagine.
Keep it in pristine condition.
There are figures, as in the little minifigures, that go for over $2,000.
My goodness.
Wow.
It's, you know, Boba Fett is one of the most popular ones.
I think Captain Rex, is it? Something like that. Star Wars ones.
And this is because there are incels like yourself, there are people out there who don't have any sex life, who just sit in their sad little back bedrooms and they're spending all of their money on Lego.
I'm going to pick you up on one thing there.
I only have one bedroom, not a back bedroom and a front bedroom.
Wow, that is beautiful.
Tom the Incel Langford. That is just like his name from now on.
So descriptive.
So descriptive.
I did.
But Lego is the most wonderful thing, though.
I mean, it is incredibly expensive to buy new, but the thought that second-hand actually raises in price quite so much is remarkable.
Yeah.
If you're savvy with it, especially some of the special editions, they also have the VIP programs, which sometimes have limited releases.
Some things, you know, they have a phrase on their website, "hard to find", and all that sort of stuff. Some stuff goes hard to find very, very quickly.
Wow.
But, yeah, I like it. It's relaxing.
I was talking to a friend about it, and he was saying that I always thought that making Lego was a really childish thing, and I was thinking this as I was making a jigsaw puzzle on my coffee table, and then I realised, hang on, I'm just doing exactly the same thing, you know.
It clears your mind. You focus just on the bricks and the techniques and what you're building and all that sort of thing.
I think it's a lot of fun.
But it's expensive.
It's a very expensive hobby, but yeah.
Very cool.
Of all the hobbies Tom has, photography and Lego, I'm surprised you have enough money left to eat at the end of the month.
Trust me, I'd be twice the size of the man I am now if I did.
Right, excellent, Graham.
Thank you.
And so we come, well, careening around the corner from Tuesday week until the end of the show.
Gentlemen, thank you so, so much.
It's been, as usual, a massive pleasure.
Jav, thank you very much.
Much appreciated.
You're welcome, as always.
And Graham, you are a leg-end, sir, for standing in for the, well, I'm going to say it, just somewhat lazy and disappointing Andrew Agnes.
Well, thank you very much.
And I look forward to my payment in Haribo in due course.
Absolutely.
Andy will be sending that along.
He's got lots of out-of-date stuff.
Because I don't know if you've seen him recently.
There's not a lot of him.
We'll bring it to your housewarming.
Yes, there you go.
Perfect.
Perfect.
Or, no, I'll tell you what, I'll hide it in my usual hiding spot in my flat, and you were going to drop in, weren't you?
Yeah, I'll be round.
Put it in your jacket pocket next to your passport.
All right.
You'll never find it.
And stay secure, everyone.
And that was the wrong one. This Week in InfoSec. No, come on, Tom. Come on, Tom, you can do it.
Struggling. What's he done with her?
Oh, there it... No, it's never happened before. Oh God, it's the first time. Honest.
He's normally a lot more professional than this, Graham.
Why the f*** has the outro gone?
Hold on.
Oh my gosh.
It's been removed from the media board.
How can you do 170 episodes?
174.
To be like this?
Right, bear with.
Just hum it, Tom.
No one will know the difference.
No one's got this far in the podcast anyway.
They all switched off when they heard I was on.
No, we're nearly there. Don't worry.
It's going to be worth it, honestly.
Oh, yeah.
God.
I can't.
H-U-L-T-R-O-G-E-L.
This is...
It's all sex life.
Do you know what?
I reckon Andy's done this on purpose.
Sabotaged it, hasn't he?
Yeah, he has.
No, I'm going to drop that in there.
It's going to upload.
You should just put out this raw audio on your Patreon.
This is what people want.
They want to see you, the confidential version.
This is what we put out normally.
Yeah.
Go on.
Anyway, stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
See what I have to deal with, Graham, every week.
I don't think we need to do an outro part, do we really?
Right, see you gents.